Your message dated Sun, 1 Aug 2021 15:18:10 +0200
with message-id <YQafEt3LQ4MuO/[email protected]>
and subject line Re: Bug#757127: sudo-ldap segfaults if ldap is being used
has caused the Debian Bug report #757127,
regarding sudo-ldap segfaults if ldap is being used
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
757127: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757127
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo
Version: 1.8.9p5
raub@testfirewall:~$ sudo pwd
sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldap://kdc.domain.com ldap://kdc2.domain.com
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=domain,dc=com
sudo: binddn (anonymous)
sudo: bindpw (anonymous)
sudo: bind_timelimit 3
sudo: timelimit 3
sudo: deref 0
sudo: ssl start_tls
sudo: tls_cacertfile /etc/ssl/certs/ca-certificates.crt
sudo: use_sasl yes
sudo: sasl_auth_id (NONE)
sudo: rootuse_sasl -1
sudo: rootsasl_auth_id (NONE)
sudo: sasl_secprops (NONE)
sudo: krb5_ccname FILE:/tmp/host.tkt
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/certs/ca-certificates.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/ca-certificates.crt
sudo: ldap_initialize(ld, ldap://kdc.domain.com ldap://kdc2.domain.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 3
sudo: ldap_set_option(LDAP_OPT_TIMEOUT, 3)
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 3)
sudo: ldap_start_tls_s() ok
sudo: sudo_ldap_sasl_interact: SASL_CB_USER
Segmentation fault (core dumped)
raub@testfirewall:~$
>From syslog:
Jun 5 15:16:26 testfirewall kernel: [2068248.457275] sudo[22925]:
segfault at 0 ip 00007f2feb02692a sp 00007ffff55073b8 error 4 in
libc-2.19.so[7f2feaf9d000+1bc000]
That affects both local and network users. Now, if I disable ldap for
sudoers in /etc/nsswitch.conf,
# sudoers: files ldap
sudoers: files
Notes:
1) Originally reported on 2014-06-06 in
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1327268. I have a
feeling they will only do something after *their* upstream (debian) do
it.
2) Moved upstream to debian.
3) Todd C. Miller (he who wrote the package) has released source code
in June with patched code. See the sudo mailing list for when I
reported the issue, tested the patch, and Todd reported the patch
applied to the source code. In other words, the upstream source code
should be patched.
4) If anyone wants to be lazy, here is the patch as applied to
http://ftp.de.debian.org/debian/pool/main/s/sudo/sudo_1.8.9p5.orig.tar.gz
diff -u sudo-1.8.9p5/plugins/sudoers/ldap.c ldap.c
--- sudo-1.8.9p5/plugins/sudoers/ldap.c 2014-01-07 13:08:54.000000000 -0500
+++ ldap.c 2014-08-05 10:31:26.028023778 -0400
@@ -2405,10 +2405,11 @@
rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
if (new_ccname != NULL) {
- rc = sudo_set_krb5_ccache_name(old_ccname, NULL);
+ rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
if (rc == 0) {
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
- "restore ccache name %s -> %s", new_ccname, old_ccname);
+ "restore ccache name %s -> %s", new_ccname,az
+ old_ccname ? old_ccname : "(none)");
} else {
sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
"gss_krb5_ccache_name() failed: %d", rc);
--- End Message ---
--- Begin Message ---
Version: 1.9.4
On Tue, Feb 23, 2021 at 08:46:22AM +0100, Marc Haber wrote:
> On Tue, Aug 05, 2014 at 10:41:14AM -0400, Mauricio Tavares wrote:
> > 4) If anyone wants to be lazy, here is the patch as applied to
> > http://ftp.de.debian.org/debian/pool/main/s/sudo/sudo_1.8.9p5.orig.tar.gz
> >
> > diff -u sudo-1.8.9p5/plugins/sudoers/ldap.c ldap.c
>
> I see this in the sudo source in Debian unstable. Can you confirm that
> this issue doesn't apply any more to current Debian?
Marking as fixed in vesion 1.9.4 which is the unstable version.
Greetings
Marc
--- End Message ---
